Re: Unable to use ssh-agent with confirmation, when logged in on a virtual terminal

Johannes Kastl wrote:
> On 03.11.2014 Johannes Kastl wrote:
>
> > I am trying to get ssh-add with the -c option to work. But I
> > always get this error:
> > Agent admitted failure to sign using the key.
>
> Mark and Angel replied on and off the list, and both suggested that
> the SSH_ASKPASS variable is set wrong.
>
> I thought that these variables are for using *graphical* programs to
> ask for the passphrase. And on most of my machines, no X server is
> even installed. So I thought these variables are not necessary, and it
> does not matter if they are empty.
>
> As I replied to Angel, I would have thought that there is a fallback,
> but apparently this is not the case. Or it is not working.

There's no fallback.

> However, when I set SSH_ASKPASS to /usr/lib/ssh/ssh-askpass and the
> DISPLAY variable to 'foo', I still get the error.

/usr/lib/ssh/ssh-askpass is a graphical application, so it won't work
on the console.
Try using:

  DISPLAY=foo SSH_ASKPASS=/bin/true ssh-agent bash
  ssh-add -c /path/to/keyfile
  ssh machine

This time it should work (works here). Using /bin/true means that it will always
answer "yes", but enough to show it is working. You should instead make a program
using getpass(2) or maybe a shell script that asks you.
The SSH_ASKPASS should print the text written on stdin, and return the user answer
on stdout (the agent will sign the key if it is "yes" or an empty string).

> I noticed that on the one machine with the graphical gui, I get the
> prompt via kwallet (KDE's password safe), but it is enough to click OK
> to allow this request. But I had to unlock my password safe first.

I think you are not using ssh-agent but Kwallet (it can also serve as ssh agent).

> And the SSH_ASKPASS variable is set to /usr/lib/ssh/ssh-askpass on
> this machine. So maybe this is really just a prompt for machines with
> a running X server...

That is currently how it works. But the above hack should solve it :)

@openssh devs: Is there a reason not to fall back to getpass(2)?

Best regards

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
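Added example (not from the thread, and not OpenSSH's own code): a text-console confirmation helper that can replace the /bin/true stand-in from the reply above as SSH_ASKPASS, so each "ssh-add -c" key use is really confirmed instead of silently approved. It relies on how ssh-agent drives the hook (the prompt is passed as the first argument; the request is approved only when the helper exits 0 and prints nothing or "yes" on stdout) and assumes it is installed at a path such as ~/bin/askpass-confirm.sh with a controlling terminal (/dev/tty) available.

```shell
#!/bin/sh
# Added example: console confirmation helper for ssh-agent's SSH_ASKPASS hook.
# ssh-agent executes $SSH_ASKPASS with the prompt as its first argument and
# approves the signing request only when the helper exits 0 and prints
# nothing or "yes" on stdout. Any other output or a non-zero exit denies
# the request, so every failure path below ends in a denial, never approval.

# askpass_confirm PROMPT [INPUT] [OUTPUT]
# Shows PROMPT on OUTPUT (default /dev/tty), reads one line from INPUT
# (default /dev/tty) and prints "yes" on stdout for an affirmative answer.
# Returns 0 on approval, 1 on denial or when no answer could be read.
askpass_confirm() {
    prompt=$1
    in=${2:-/dev/tty}
    out=${3:-/dev/tty}
    printf '%s\nAllow this request? [y/N] ' "$prompt" > "$out" 2>/dev/null
    # EOF, a closed terminal or an unreadable input must deny, never approve.
    if ! IFS= read -r answer < "$in"; then
        return 1
    fi
    case $answer in
        y|Y|yes|Yes|YES)
            printf 'yes\n'   # the affirmative token ssh-agent looks for
            return 0 ;;
        *)
            return 1 ;;      # non-zero exit status: request denied
    esac
}

# ssh-agent always passes the prompt as $1; with no arguments (for example
# when this file is sourced) nothing is asked.
if [ $# -gt 0 ]; then
    askpass_confirm "$1"
    exit $?
fi
```

Start the agent with DISPLAY=foo SSH_ASKPASS=~/bin/askpass-confirm.sh ssh-agent bash and load the key with ssh-add -c as in the reply; OpenSSH 8.4 and later can set SSH_ASKPASS_REQUIRE=force instead of a dummy DISPLAY.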